Automatic Security Testing with Static and Dynamic Analysis
Most Drupal security vulnerabilities are discovered through manual code review or by accident. This session introduces two automated approaches to detecting Cross-Site Scripting (XSS) and SQL Injection (SQLi) vulnerabilities and presents progress to date in applying them to Drupal. Dynamic Analysis, or "data tainting," involves tagging data received from untrusted sources within a running program as "tainted," propagating that taint to any data derived from it, and detecting when tainted data is used in dangerous circumstances. For example, data tainting would detect when any data derived from unsanitized GET request parameters is output within HTML. Static Analysis involves performing data-flow analysis directly on source code to detect where certain kinds of security vulnerabilities are possible. Like Dynamic Analysis, it sometimes uses a data tainting model, but instead of operating within a live program on real data it examines all possible code paths within a program to identify potential problems. Both dynamic and static analysis techniques have proved effective at identifying security vulnerabilities in Drupal. This session describes how both techniques work and shows examples of the problems each has found.
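As an added illustration, not code from the session or from Drupal, the following minimal Python model shows the data tainting just described: a GET parameter enters the program tainted, the flag follows every string derived from it, a sanitizer clears it, and the HTML output sink refuses tainted data. The parameter names and helper functions are constructed for this example.

```python
"""Minimal dynamic taint-tracking model (illustrative, not Drupal code)."""
import html


class Tainted(str):
    """A str subclass carrying a taint flag; strings derived from it keep the flag."""
    def __new__(cls, value, tainted=True):
        obj = super().__new__(cls, value)
        obj.tainted = tainted
        return obj

    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.tainted or is_tainted(other))

    def __radd__(self, other):
        # Called for plain_str + Tainted, so taint survives concatenation on either side
        return Tainted(str.__add__(str(other), self), self.tainted or is_tainted(other))

    def upper(self):
        return Tainted(str.upper(self), self.tainted)


def is_tainted(value):
    return isinstance(value, Tainted) and value.tainted


def get_param(params, name):
    """Source: a GET parameter is untrusted, so it enters the program tainted."""
    return Tainted(params.get(name, ""))


def sanitize(value):
    """Sanitizer: HTML-escaped data is safe to emit, so the taint is cleared."""
    return Tainted(html.escape(str(value)), tainted=False)


class TaintError(Exception):
    pass


def render_html(fragment):
    """Sink: refuse to emit tainted data into an HTML response."""
    if is_tainted(fragment):
        raise TaintError("tainted data reached HTML output: %r" % str(fragment))
    return str(fragment)


def page_title(params, escape):
    """Build '<h1>Hello, NAME</h1>' from a (constructed) GET parameter dict."""
    name = get_param(params, "name")       # tainted source
    if escape:
        name = sanitize(name)
    greeting = "Hello, " + name            # taint propagates through concatenation
    return render_html("<h1>" + greeting + "</h1>")
```

With `escape=False` the sink raises `TaintError`, which is the detection event a dynamic tainting run reports; with `escape=True` the escaped title is emitted normally.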